AMENDMENT

Amendments to the Specification: 

Please insert the following new paragraphs starting at line 17 of page 3: 

SUMMARY 

Methods and systems are described for allocating network resources of a 
distributed virtual system to support managed, network-based services. 
According to one embodiment, a virtual router (VR)-based switch having multiple 
processing elements is provided that is configured for operation at an Internet 
point-of-presence (POP) of a service provider. A network operating system 
(NOS) is provided on each of the processing elements. The resources of the VR- 
based switch are segmented between at least a first subscriber of the service 
provider and a second subscriber of the service provider by associating a first set 
of VRs with the first subscriber, associating a second set of VRs with the second 
subscriber, mapping the first set of VRs onto a first set of the processing elements, 
mapping the second set of VRs onto a second set of the processing elements. 
Then, a first and second set of customized services are configured, each including 
two or more of firewalling, virtual private networking, encryption, traffic shaping, 
routing and network address translation (NAT), to be provided by the VR-based 
switch on behalf of the first and second subscriber, respectively. The first set of 
customized services is configured by allocating a first service object group within 
the first set of VRs. The first service object group includes a service object 
corresponding to each service of the first set of customized services and each 
service object of the first service object group can be dynamically distributed by 
the NOS to customized processors of the first set of processing elements to 
achieve desired computational support. The second set of customized services is 
configured by allocating a second service object group within the second set of 
VRs. The second service object group includes a service object corresponding to 
each service of the second set of customized services and each service object of
the second service object group can be dynamically distributed by the NOS to 
customized processors of the second set of processing elements to achieve desired 
computational support. 

Other features of embodiments of the present invention will be apparent 
from the accompanying drawings and from the detailed description that follows. 

BRIEF DESCRIPTION OF THE DRAWINGS 

Embodiments of the present invention are illustrated by way of example, 
and not by way of limitation, in the figures of the accompanying drawings and in 
which like reference numerals refer to similar elements and in which: 

FIG. 1 is a block diagram illustrating an IP Service Delivery Platform in 
accordance with an embodiment of the present invention. 

FIG. 2 conceptually illustrates a POP access infrastructure in accordance 
with a network-based managed firewall service model of an embodiment of the 
present invention. 

FIG. 3 is a block diagram illustrating various services and functional units 
of an IPNOS in accordance with an embodiment of the present invention. 

FIG. 4 conceptually illustrates interactions among various Object Manager
layers in accordance with an embodiment of the present invention. 

FIG. 5 conceptually illustrates an exemplary mapping of virtual routers 
onto processor elements. 

FIG. 6 conceptually illustrates segmentation of a switch across a number 
of different subscribers in accordance with an embodiment of the present 
invention. 

FIG. 7 is a block diagram illustrating two sub-layers of the network layer
of the protocol stack in accordance with an embodiment of the present invention. 

FIG. 8 conceptually illustrates inter-module transfers during firewall flow 
processing in accordance with an embodiment of the present invention. 

FIG. 9 illustrates packet fragmentation and header content in accordance 
with an embodiment of the present invention. 

FIGS. 10, 11, 12 and 13 conceptually illustrate various forward and 
reverse flow scenarios in accordance with an embodiment of the present 
invention. 

FIG. 14 conceptually illustrates multi-point-to-point (MP-P) operation in 
accordance with an embodiment of the present invention. 

Please amend the paragraph starting at line 22 of page 10 as follows: 

The way that virtual routers map on processor elements can be understood 
in the context of Figure [[4]] 5. Figure [[4]] 5 shows a blade 28 having four 
processor elements (PEs) 30. Each processor element 30 includes a CPU and 
memory. In addition, each PE 30 is connected to the other PEs 30 and to the rest 
of switch 12 through connection fabric 32. In the embodiment shown in Figure 
[[4]] 5, two virtual routers 34 are mapped on blade 28. It should be noted that, in 
one embodiment, more than one virtual router can be mapped to a single PE 30, 
and vice versa. Blade 28 can, therefore, be a shared resource among two or more
subscribers. 

Please amend the paragraph starting at line 31 of page 13 as follows: 

When shortcuts are created, an Object Channel termination will receive traffic 
from multiple Object Channel sources. That is, we need Consequently, according 
to one embodiment, a multi-point-to-point (MP-P) Object Channel is used in the
Flow Topology. The PRD for MP P describes the proposed implementation if 

Please amend the paragraph starting at line 38 of page 13 as follows: 

Both ends of a P-P [[uses]] use the initialization function obj_init_channel(). For 
MP-P, there will be 2 separate initialization function functions . For MP-P 
transmit, the initialization function is obj_mpp_tx_init_channel().[[.]] For MP-P 
receive,, the initialization function is obj_mpp_rx_init_channel(). (Please refer to 
the PRD for actual function names). There is also an anonymous mpp_send() 
function that can be used (and which is bound to the channel end point by 
obj_mpp_tx_init_channel() to send anonymously to [[an]] a channel end point 
without using the Object Channel abstraction. 

Please amend the Abstract as follows: 

A virtual routing system, including a virtual router operating across one or 
more processing elements. Methods and systems for allocating network resources 
are provided. According to one embodiment, a VR-based switch is configured for 
operation at a POP of a service provider. A NOS is provided on each processing 
element of the switch. Resources of the switch are segmented among multiple 
subscribers by associating sets of VRs with a first and second subscriber, mapping 
the sets of VRs onto sets of the processing elements, and configuring a first and 
second set of customized services, each including two or more of firewalling, 
virtual private networking, encryption, traffic shaping, routing and NAT, to be 
provided by the switch on behalf of the first and second subscribers, respectively, 
by allocating first and second service object groups within sets of VRs. Each 
service object can be dynamically distributed by the NOS to customized 
processors of the first or second set of processing elements to achieve desired 
computational support. 